Most Popular

1500 questions
20 votes, 2 answers

Is the encryption of a hash a good MAC?

At university we were told that it is a bad idea to implement a MAC by simply concatenating a key with the data to sign and to run it through a hash function (e.g. $s = \mathrm{hash}(k||\mathrm{data})$ or $s = \mathrm{hash}(\mathrm{data}||k)$). The…
Daniel
20 votes, 3 answers

Cryptanalysis to reverse engineer a hash?

I understand this may not be the best place to ask a question like this, but I believe that this community may be the best/only place I can ask such a question. I have inputs and outputs from an in-house hash developed years ago and the developer…
user316
20 votes, 1 answer

Why must IV/key-pairs not be reused in CTR mode?

Many sources mention that IVs must not be reused with the same key in CTR mode, for encrypting 2 different pieces of data, because that totally destroys security - but I haven't found an explanation so far as to why this is the case. The issue is…
Dexter
20 votes, 1 answer

Does Curve25519 only provide 112 bit security?

In a recent mail on the IETF CFRG mailing list it was claimed that: The (currently missing) security considerations (or somewhere) should describe why Curve25519 is ok when used in contexts where we'd otherwise ask for 128 bit strength,…
SEJPM
20 votes, 3 answers

Collision or second preimage for the ChaCha core?

Daniel J. Bernstein's ChaCha core is an evolution of the Salsa20 core. Both are functions over the set of 512-bit bitstrings, partitioned as sixteen 32-bit words. Can we exhibit collisions, or second-preimages (which implies the former), for the…
fgrieu
20 votes, 2 answers

Why do new versions of TLS use an explicit IV for CBC suites?

SSL 3.0 and TLS 1.0 used an insecure scheme to generate implicit IVs when encrypting records in CBC mode: they used the last part of the previous record, a value that can be predicted by the attacker. This attack was demonstrated in the BEAST…
CodesInChaos
20 votes, 2 answers

Can Grover's algorithm be parallelized?

Grover's algorithm can search an unordered list of length $N$ in time $\sqrt{N}$ on a quantum computer. Applied to cryptography, this means that it can recover n-bit keys and find preimages for n-bit hashes with a cost of $2^{n/2}$. But the basic…
CodesInChaos
20 votes, 1 answer

uniform vs. non-uniform PPT

I'm trying to understand PPT and in particular what the differences are in uniform and non-uniform PPT's. First, this is how I see it: A probabilistic polynomial-time (PPT) algorithm $A$ is an algorithm that runs in polynomial time but also has…
hsalin
20 votes, 3 answers

Can I use a one time pad key twice with random plaintext?

I understand the basics of OTP: $|\text{key space}| = |\text{plaintext space}|$ implies perfect security, key reuse destroys this. Cryptanalysis on the $N$-Time Pad for $N > 1$ involves finding patterns in the ciphertext; this, however, all seems…
mfsiega
20 votes, 4 answers

Is compressing data prior to encryption necessary to reduce plaintext redundancy?

As explained in William Stallings' Book, in PGP encryption is done after compression, since it reduces redundancy. I couldn't relate encryption strength with redundancy. Could anyone explain more on that?
user5507
20 votes, 4 answers

Does the SHA hash function always generate a fixed length hash?

I'm using the SHA1/2 family of algorithms for a particular project. I was wondering if all the SHA algorithms return a fixed length hash regardless of the length of the data.
Robin Rodricks
20 votes, 2 answers

Difference between "Signature Algorithm" and "Signature Hash Algorithm" in X.509

What's the difference between the "Signature Algorithm" and the "Signature Hash Algorithm" found in an X.509 certificate? Why does it need a "Signature Hash Algorithm"? Edit: I'm creating the X.509 cert with PHP 5.2. When I change the 'digest_alg'…
HomeCoder
20 votes, 2 answers

Does SHA-1024 hash exist?

Does the SHA-1024 cryptographic hash function exist, similarly to SHA-512? If not, what's the reason for that? Links: SHA-2 at Wikipedia, SHA-3 at Wikipedia
kenorb
20 votes, 2 answers

Can I use HMAC-SHA1 in counter mode to make a stream cipher?

Say I have an embedded device which is only capable of doing HMAC-SHA1 transformations (that device is, in fact, a YubiKey). Would it be secure to feed it like a block cipher in counter mode to get a random pad suitable as a stream cipher? Of…
xxxxxxxxx
20 votes, 3 answers

Is it safe to create a public ID by hashing a private key?

In an application, a curve25519 private key is the only stable identifier for an individual. I don't readily have access to the corresponding public key. Would it be safe to generate a public identifier by hashing this private key? E.g. ID =…
Moss Richardson